Google has upped the ante by announcing $1 million worth of prizes to those …

Google has pledged cash prizes totaling $1 million to people who successfully hack its Chrome browser at next week's CanSecWest security conference.

Google will reward winning contestants with prizes of $60,000, $40,000, and $20,000 depending on the severity of the exploits they demonstrate on Windows 7 machines running the browser. Members of the company's security team announced the Pwnium contest on their blog on Monday. There is no splitting of winnings, and prizes will be awarded on a first-come-first-served basis until the $1 million threshold is reached.

Now in its sixth year, the Pwn2Own contest at the same CanSecWest conference awards valuable prizes to those who remotely commandeer computers by exploiting vulnerabilities in fully patched browsers and other Internet software. At last year's competition, Internet Explorer and Safari were both toppled but no one even attempted an exploit against Chrome (despite Google offering an additional $20,000 beyond the $15,000 provided by contest organizer Tipping Point).

Chrome is currently the only browser eligible for Pwn2Own never to be brought down. One reason repeatedly cited by contestants for its lack of attention is the difficulty of bypassing Google's security sandbox.

"While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve," wrote Chris Evans and Justin Schuh, members of the Google Chrome security team. "To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards."

In the same blog post, the researchers said Google was withdrawing as a sponsor of the Pwn2Own contest after discovering rule changes allowing hackers to collect prizes without always revealing the full details of the vulnerabilities to browser makers.

"Specifically, they do not have to reveal the sandbox escape component of their exploit," a Google spokeswoman wrote in an email to Ars. "Sandbox escapes are very dangerous bugs so it is not in the best interests of user safety to have these kept secret. The whitehat community needs to fix them and study them. Our ultimate goal here is to make the web safer."

In a tweet, Aaron Portnoy, one of the Pwn2Own organizers, took issue with Google's characterization that the rules had changed and said that the contest has never required the disclosure of sandbox escapes.

Ars will have full coverage of Pwn2Own, which commences on Wednesday, March 7.

Updated to make clear Pwnium is a contest that's separate from Pwn2Own and to add comment from Portnoy.

Let me see, I'll take the low $20,000 and let a multi-billion dollar business learn about its weak point so they can improve their product and make a few more billion from it. Let me think about it and get back to you, Google.

Google is smart but am I stupid?

BTW, I know nothing about hacking; I wouldn't even know how to hack my own LAN. As a multi-billion dollar company, please don't f*ck with our intelligence. That's all I'm saying.

Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive -- not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.

While I have no doubt they're sincere with their "we need the exploits" comment, I am pretty sure that wasn't what the people with the money were thinking when they got the request... $1 million on a PR campaign could hardly buy the kind of publicity they're getting now.

yeah cause that's how Google made all its money, the security provisions on their browser.....

Um, I think you miss the point of these competitions. It's not just about the money. It's also about prestige, and it gives the gray and white hats a chance to show their stuff. Black hats do not show up to events like this, or report bugs at all. I'm not sure what you do for a living, but $20,000 is no paltry sum of money. Granted, Google will use it to make their browser more marketable, but people report these things for free before presenting their findings at conferences all the time. So if you are a security researcher making $50,000 a year, an extra $20,000 is not too shabby.

$20,000 isn't a bad offer. They're paying someone for a service. Yeah, Google is a multi-billion dollar company, but that doesn't mean they should just be throwing money away. Should they pay their cleaning service a million dollars a year because they're a billion dollar company? It's for a browser exploit; every browser has them. It's not life or death; it's not worth millions, or even hundreds of thousands of dollars, to find. Chrome isn't even Google's bread and butter; you're making it sound like Google makes billions off of it. Bottom line, they're a business, not a charity. $20,000 is more than fair for a few days', weeks', even a month's worth of work done in, presumably, a hacker's free time (however long it takes someone to find one; each one is different).

So if you are a security researcher making $50,000 a year, an extra $20,000 is not too shabby.

If you're a security researcher making $50K a year, then you need to ask for a pretty huge raise. Anybody who is good at this stuff makes six figures. That said, $20 - $60K for an exploit seems pretty reasonable to me. Not sure what the black market pays, but I don't think that it's huge bucks.

Not a bad deal even for a guy making a six figure salary. With that kind of money one can take another trip over Europe with his whole family for a month's expenses. That's not what I was complaining about, not the money.

It is, there's one thing I would consider first before I enter the building. Would I be safe if I exposed myself to the community that I could hack Chrome? Not knowing there might be one or two undercover from the feds tailing my as* after I leave the building? To say the least. $20K no doubt is good for a few minutes' work; heck, a billion dollar company CEO doesn't make that kind of buck in his few minutes' work, but let's look at what will happen to me after this Chrome hack. Would I be on the feds' black list of its black hat list?

I want more money for myself to take on such risk (from the feds). Hey, don't get me wrong here, I'm not here to discourage anyone from trying.

The title was a bit misleading. For a moment I thought Google would award $1 million to the first hacker that successfully exploits Chrome. It seems, however, it's the sum of the exploits adding up to $1 million.

I wouldn't, even if this means a huge sum for me.

WTF are you going on about? You know that this is not the first such hacking competition, nor the first time Google or other companies are paying bounties for people reporting exploits in their products? Nobody is going to be arrested for participating in this. That's ridiculous.

Yea, I thought the same thing. The title, though accurate, was a bit misleading.

Evolution... What? Paranoid much? Do you honestly believe that the Feds are following these security researchers around the competition? I think tailing security researchers would be one of the most boring tasks for a fed ever. Who wants to sit there and watch a person sit in front of a computer looking at code for hours on end?

$20K no doubt is good for a few minutes' work; heck, a billion dollar company CEO doesn't make that kind of buck in his few minutes' work.

FYI a *lot* of work goes into discovering these exploits. Hackers don't just sit down at the computer and figure it out on the spot—they've already refined their technique ahead of time through many hours of work.

Whoever said they are paying for a service is exactly right. There really is no difference between them paying a "reward" and them paying a "consultancy fee". I'm sure this reward includes a 1099, come January.

There's damn near exactly 2000 hours in a standard work year (40 hours a week, 52 weeks in a year, minus 2 of vacation). You REALLY think most people make less than $10/hr? Oh, wait, you were trying to be scathing. Carry on.

Christ, this is a bit too tinfoil hat even for me. Now that you've said all this, are you so sure you haven't already tipped yourself off to the feds? Someone with so much paranoia over gov't surveillance surely must be hiding something juicy. Nothing to be done for it now - you best sell all your stuff and get you a shack in Montana. But be discreet, otherwise the feds will tail you right to your hideout in the woods.

Also, $20k is more than half of what I made last year. Were I able to crack Chrome in even a minor way, you're goddamn right I'd take Google's money. That'd just about clear my wife's student loan debt :\

Actually, most people with that much government paranoia aren't hiding anything at all. That's the sad part; they're usually scared of nothing.

That's all that needs to be focused on ppl, the guy stirring up all this sh*t clearly stated in his first post he knows nothing about the subject area he is espousing about in his posts and as such should be ignored as the troll he is. His comments about being followed by the FBI clearly demonstrate the closest he has ever come to hacking is works of fiction or the movies (maybe he watched "24" one too many times who knows), the point is he clearly knows less than nothing about any of this and is eminently unqualified to comment on any aspect of it.

For the sake of the rest of us, PLEASE IGNORE THE BLINDINGLY OBVIOUS TROLL!!! Thanks.

Given all the attention lately about cracking down on Internet crimes from the big brothers -- WikiLeaks, Kim Dotcom, and what was that news about the environmental protester(s) (tree lovers?) who got herself on the feds' black list? Yea, I got a very good legitimate reason for being paranoid toward our government policy.

You would never know, until then, it's too late.

Hacking is a crime. Don't forget that. Showing off to the public how I am able to hack isn't a good idea for my best interest and for any amount of money available to me. I'll tell you this, it might not be enough for my lawyer's fee.

If you are not paranoid, good for you. Stay that way, you'll be okay, I hope. But let me stretch this a bit further if I may: being paranoid may not be so bad, your good fortune may last for a bit longer than those who have no idea how our law enforcement spends their 9 to 5 work hours, which most of you folks here have more info about than I have.

Be safe, brothers and sisters.

And when the government is done arresting all the security experts (in this fantasy world of yours), who do they hire to keep us safe from cyberterrorists and hackers hired by foreign governments?

Why is it only Chrome on a Windows 7 computer? I'm pretty sure that some hotshot white/grey/black hat hacker can probably hack his way into my Chrome running on a Snow Leopard MacBook. As Google said, if that can happen it would be really nice for it to happen in a controlled environment so that they can fix it and I can continue using my computer securely without worries.

$1 million on a PR campaign could hardly buy the kind of publicity they're getting now.

They are getting almost 0 publicity from that:
- Pwn2Own is an event for the hacker community; I doubt anyone in that community failed to notice that there is a browser named Chrome that was made by Google some years ago.
- Even more general outlets that report on Pwn2Own, such as Ars, are still very technology-oriented outlets with an educated readership. They also know about Chrome.
- You could argue that people will say "nobody pwned Chrome yet, so I should switch to it". However, I think among the technology-oriented crowd, people choose their browser because of personal preferences ("Firefox has better plugins", "Chrome is snappier", "I'm on Mac, Safari is better there") rather than the number of exploits currently found for browser X.

Have you come face to face with a known cyberterrorist in your experiences? When was the last time you got hacked? Never? Then why worry about it? It's a fantasy for the government to lock up all the security experts/hackers. They wish they could; it'll never happen and you know that. So why worry about it?

George W. Bush had a thing he used to call Preemptive Strike that got my knees shaking. The suits are still here. I suppose you haven't forgotten what that meant, have you? It meant to have you locked up before you even make your first move. That's what that meant. Saddam got it on him.

Our local police departments have a unit which called itself something like Provision Detail. What those guys do in that Detail is lock you up before you make your first strike. That unit also got my knees shaking. Matter of fact, as of this typing, my knees were shaking. Well, at least one of my knees was. :-)

Google may have good intentions with this contest. Bless them. I hope they get what they wanted. Our big brothers don't necessarily have a good sense of humor to play along with this contest. They don't play. When you've shown them what you could do to hack Chrome, these guys and girls in the suits want to know more about you personally. Where you come from, what you do for a living. After all, you might not have a living. :-)

Thanks for the wiki link.

I'm still rofling about the guy's name being Evolution; as though someone with any sort of evolution going on would be simultaneously aware of the government's secret plans and unable to compose a thought that clearly explains why he's afraid of said secret plans.

Hacking isn't illegal; hacking when your intention or goal is damage or cost to someone else IS illegal. Playing with Chrome in your basement and finding a 0-day hack for it and then practicing it so you can do it at this expo has broken no law whatsoever. Everyone on the internet knows the government is too busy chasing after file-sharers to arrest hackers too!

Indeed, what Evolution fails to understand is that it's not illegal to pay someone to bypass a lock on your OWN home. Otherwise every single locksmith would be arrested.

There is no difference here: Google owns the browser, and all it's asking is for a few locksmiths to see if they can break in.

Evolution may be right to doubt the sincerity of Google about their intentions, although the way he expresses it does make him seem paranoid. I suspect he may be right because the United States would really like to unmask Anonymous and get them all rounded up and dealt with through the courts. This may be just another initiative designed to do just that, as the existing law enforcement techniques are exhausting their usefulness. Think about the problem for a minute: how do you identify hackers of exceptional skill who are able to keep their identities a secret and stay one step ahead of the industry? How about setting up a competition with a large cash prize that would utilise just the right skills to identify such a person. Once identified and registered, you'd put them under constant (digital) surveillance, awaiting their supposed next big hack, to catch them in the act. It would be what's called a 'sting operation'.

The problem with this theory is that most of what Anonymous have done so far has fallen into the categories of 1) social engineering, 2) brute forcing crappy passwords, or 3) using already known exploits on unpatched servers, ergo no actual exploit research of their own needed. Almost none of what they've done is the kind of work previously seen at pwn2own, so you're unlikely to find any of them at such a competition.

Almost none of what they've done is the kind of work previously seen at pwn2own, so you're unlikely to find any of them at such a competition.

The problem is not with the theory at all, the problem is that nobody can say for sure if what you've said is the case, because nobody knows who these people are, not even you. Not even members will know who the other members really are. If you were in law enforcement and you were looking for these people, you'd set up traps in the hacking community in attempts to snare them. Competitions with big money prizes could well be honeypots, designed to draw talented hackers onto a register so their movements and activities can be tracked. These tactics are used throughout the world in other areas of law enforcement and are very successful.

Furthermore, nobody knows for sure what exploits these people are using. I would guess it's a whole bag of tricks. Perhaps Chrome is suspected as an attack vector in one of the incidents (or more). Who's to say.